Pivot scenario from region-based 2 users to source-based 4 users
Replaces the original APAC-vs-all 2-user demo (vpduser_a/b on KR_ANALYSTS/GLOBAL_ADMINS groups) with a 2x2 source-access matrix: vpduser_my -> MY_ONLY group -> MySQL view only vpduser_pg -> PG_ONLY group -> Postgres view only vpduser_both -> BOTH_SOURCES group -> both views vpduser_none -> (no group) -> nothing (default deny) Why: source-level segmentation is the more common production permission story than region-level filtering. Region filtering remains available as an opt-in variant via commented UPDATE in sql/adb/03_seed.sql. Key changes: - 03_seed.sql, 07_end_users.sql, 00_cleanup.sql, .env.example, run.sh updated for the new 4-user model. All 4 users get identical view GRANTs; the only differentiator is the permission table (proves the model is "data-driven, not GRANT-driven"). - 08-11 split into one file per user: my (+ 5 bypass attempts), pg, both, none (default-deny verification). - 12_tests_admin_audit.sql uses LEFT JOIN so vpduser_none shows up as NULL permissions, and filters by object_owner=USER to exclude cross-schema policies. - Removed inline "-- comment" after ";" lines in 03_seed.sql: SQL*Plus silently skipped the inserts (documented gotcha). - README.md + docs/01,02 updated for the 4-user matrix. docs/03 detailed guide keeps the region-filter example but now has a preface explaining it's a variant of the default 4-user model. - docs/04: db_type='mysql_community' note added (RDS MySQL). E2E verified: PG=0/MY=17, PG=12/MY=0, PG=12/MY=17, PG=0/MY=0 plus all 5 bypass attempts blocked. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
devmrko
53
sql/adb/11_tests_user_none.sql
Normal file
53
sql/adb/11_tests_user_none.sql
Normal file
@@ -0,0 +1,53 @@
|
||||
-- ============================================================
|
||||
-- 11_tests_user_none.sql
|
||||
-- Run as VPDUSER_NONE — the "default deny" case.
|
||||
--
|
||||
-- This user has CREATE SESSION and SELECT on both views, but ZERO
|
||||
-- rows in the permission table. The LOGON trigger still fires and
|
||||
-- ctx_pkg.init still runs — it just finds nothing to load.
|
||||
--
|
||||
-- Expected:
|
||||
-- - regions_pg = NULL AND regions_my = NULL
|
||||
-- - Both views return 0 rows (policy returns '1=0' / fail-closed)
|
||||
-- - This proves the model is "deny by default" — adding a user
|
||||
-- without a permission row is automatically safe.
|
||||
-- ============================================================
|
||||
SET FEEDBACK ON
|
||||
SET LINESIZE 200
|
||||
SET PAGESIZE 100
|
||||
|
||||
PROMPT
|
||||
PROMPT === Who am I, and what context did the LOGON trigger load? ===
|
||||
PROMPT === (expect: regions_pg and regions_my both NULL) ===
|
||||
SELECT USER AS session_user,
|
||||
SYS_CONTEXT('VPD_CTX','USER_ID') AS app_user_id,
|
||||
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_PG') AS regions_pg,
|
||||
SYS_CONTEXT('VPD_CTX','V_CUSTOMERS_MY') AS regions_my
|
||||
FROM dual;
|
||||
|
||||
PROMPT
|
||||
PROMPT === Row counts (expect: PG=0, MY=0 — fail-closed) ===
|
||||
SELECT 'V_CUSTOMERS_PG' AS view_name, COUNT(*) AS rows_visible FROM admin.v_customers_pg
|
||||
UNION ALL
|
||||
SELECT 'V_CUSTOMERS_MY', COUNT(*) FROM admin.v_customers_my;
|
||||
|
||||
PROMPT
|
||||
PROMPT === Confirm no rows leak through despite the GRANT on the view ===
|
||||
SELECT * FROM admin.v_customers_pg WHERE ROWNUM <= 1;
|
||||
SELECT * FROM admin.v_customers_my WHERE ROWNUM <= 1;
|
||||
|
||||
PROMPT
|
||||
PROMPT === BYPASS: even with no permission row, all 4 bypass surfaces blocked ===
|
||||
WHENEVER SQLERROR CONTINUE;
|
||||
SELECT COUNT(*) FROM "public"."customers"@RDS_POSTGRES_LINK;
|
||||
SELECT COUNT(*) FROM admin.permission;
|
||||
BEGIN
|
||||
DBMS_SESSION.SET_CONTEXT('VPD_CTX','V_CUSTOMERS_PG','*');
|
||||
END;
|
||||
/
|
||||
BEGIN
|
||||
DBMS_RLS.DROP_POLICY('ADMIN','V_CUSTOMERS_PG','CUSTOMERS_PG_POLICY');
|
||||
END;
|
||||
/
|
||||
|
||||
EXIT;
|
||||
Reference in New Issue
Block a user